# This file contains Kubernetes YAML files for the most important prow
# components. Don't edit resources in this file. Instead, pull them out into
# their own files.
---
# Namespace for the Prow control-plane resources defined in this file
# (Deployments, Services, ConfigMaps and their RBAC). The `config` ConfigMap
# also sets `prowjob_namespace: prow`.
apiVersion: v1
kind: Namespace
metadata:
  name: prow
---
# Plugin configuration for Prow. The hook, deck and statusreconciler
# Deployments in this file mount this ConfigMap read-only at /etc/plugins.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: prow
  name: plugins
data:
  # Literal block scalar: everything below is stored verbatim as the file
  # plugins.yaml. It enables the listed plugins for the pixie-io org.
  # `lgtm` and `approve` manage the labels that the tide query in the `config`
  # ConfigMap requires before merging, so who may use those commands is part
  # of the merge gate.
  # NOTE(review): no per-plugin settings (e.g. for `trigger` or `approve`) are
  # given here, so the plugins run with their built-in defaults — confirm those
  # defaults match the intended trust model for outside contributors.
  plugins.yaml: |
    plugins:
      pixie-io:
        plugins:
        - approve
        - assign
        - blunderbuss
        - cat
        - dogs
        - help
        - heart
        - hold
        - label
        - lgtm
        - trigger
        - verify-owners
        - wip
        - yuks
---
# Core Prow configuration. Every Prow Deployment in this file except ghproxy
# mounts this ConfigMap read-only at /etc/config and is started with
# --config-path=/etc/config/config.yaml.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: prow
  name: config
data:
  # Literal block scalar: the text below is stored verbatim as config.yaml.
  # Points a reviewer should check in it:
  # - ProwJob objects live in `prow`; the pods that run them are created in
  #   `test-pods`.
  # - in_repo_config is enabled for "*", i.e. job definitions may come from
  #   the repository under test.
  #   NOTE(review): confirm that changes to in-repo job config from untrusted
  #   pull requests cannot run before a trusted member approves testing.
  # - decorate_all_jobs is true and the default decoration config names the
  #   `gcs-credentials` secret and the gs://px-prow bucket.
  #   NOTE(review): confirm the service account behind that secret is limited
  #   to this bucket.
  # - utility_images are pinned by tag only, while the component Deployments in
  #   this file pin tag and sha256 digest.
  #   NOTE(review): consider pinning these by digest as well; they run in every
  #   decorated job pod.
  # - The `echo-test` periodic uses `image: alpine` with no tag or digest, so
  #   the image it runs can change between runs.
  # - The report template and job_url_prefix point at https://prow.px.dev.
  config.yaml: |
    prowjob_namespace: prow
    pod_namespace: test-pods

    in_repo_config:
      enabled:
        "*": true

    deck:
     spyglass:
       lenses:
       - lens:
           name: metadata
         required_files:
         - started.json|finished.json
       - lens:
           config:
           name: buildlog
         required_files:
         - build-log.txt
       - lens:
           name: junit
         required_files:
         - .*/junit.*\.xml
       - lens:
           name: podinfo
         required_files:
         - podinfo.json

    plank:
      job_url_prefix_config:
        "*": https://prow.px.dev/view/
      report_templates:
        '*': >-
            [Full PR test history](https://prow.px.dev/pr-history?org={{.Spec.Refs.Org}}&repo={{.Spec.Refs.Repo}}&pr={{with index .Spec.Refs.Pulls 0}}{{.Number}}{{end}}).
            [Your PR dashboard](https://prow.px.dev/pr?query=is:pr+state:open+author:{{with
            index .Spec.Refs.Pulls 0}}{{.Author}}{{end}}).
      default_decoration_configs:
        "*":
          gcs_configuration:
            bucket: gs://px-prow
            path_strategy: explicit
          gcs_credentials_secret: gcs-credentials
          utility_images:
            clonerefs: gcr.io/k8s-prow/clonerefs:v20221011-5d4db25b24
            entrypoint: gcr.io/k8s-prow/entrypoint:v20221011-5d4db25b24
            initupload: gcr.io/k8s-prow/initupload:v20221011-5d4db25b24
            sidecar: gcr.io/k8s-prow/sidecar:v20221011-5d4db25b24

    tide:
      queries:
      - labels:
        - lgtm
        - approved
        missingLabels:
        - needs-rebase
        - do-not-merge/hold
        - do-not-merge/work-in-progress
        - do-not-merge/invalid-owners-file
        orgs:
        - pixie-io

    decorate_all_jobs: true
    periodics:
    - interval: 1m
      agent: kubernetes
      name: echo-test
      spec:
        containers:
        - image: alpine
          command: ["/bin/date"]
---
# hook: the component that the Ingress in this file exposes at /hook, i.e. the
# receiver for GitHub webhook deliveries. It runs as the `hook` ServiceAccount
# and holds two secrets: the webhook HMAC token and the GitHub App credentials.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hook
  namespace: prow
  labels:
    app: hook
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hook
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: hook
    spec:
      serviceAccountName: hook
      terminationGracePeriodSeconds: 180
      # NOTE(review): no securityContext and no resource requests/limits are
      # set for this internet-facing pod — confirm whether the cluster applies
      # defaults (Pod Security admission, LimitRange) or add them here.
      containers:
        - name: hook
          # Pinned by tag and sha256 digest, so the pulled image is immutable.
          image: gcr.io/k8s-prow/hook:v20221011-5d4db25b24@sha256:f021c155e77664d0a09a5650df3b18d4d3f8f5e79c2b4b1485cabe3727cbb7e7
          imagePullPolicy: Always
          # No HMAC-file flag is passed, so hook must find the token through
          # its built-in default path — verify that matches the /etc/webhook
          # mount below, since the HMAC check is what authenticates webhooks.
          args:
            - --dry-run=false
            - --config-path=/etc/config/config.yaml
            # GitHub API calls go to the in-cluster ghproxy over plain HTTP;
            # api.github.com is listed as a second endpoint.
            - --github-endpoint=http://ghproxy
            - --github-endpoint=https://api.github.com
            - --github-app-id=$(GITHUB_APP_ID)
            - --github-app-private-key-path=/etc/github/cert
          env:
            # App id comes from the same secret that carries the private key.
            - name: GITHUB_APP_ID
              valueFrom:
                secretKeyRef:
                  name: github-token
                  key: appid
          ports:
            - name: http
              containerPort: 8888
          # Every mount is read-only.
          volumeMounts:
            - name: hmac
              mountPath: /etc/webhook
              readOnly: true
            - name: github-token
              mountPath: /etc/github
              readOnly: true
            - name: config
              mountPath: /etc/config
              readOnly: true
            - name: plugins
              mountPath: /etc/plugins
              readOnly: true
          # Health endpoints are served on 8081, separate from the webhook port.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
            initialDelaySeconds: 3
            periodSeconds: 3
          readinessProbe:
            httpGet:
              path: /healthz/ready
              port: 8081
            initialDelaySeconds: 10
            periodSeconds: 3
            timeoutSeconds: 600
      volumes:
        - name: hmac
          secret:
            secretName: hmac-token
        - name: github-token
          secret:
            secretName: github-token
        - name: config
          configMap:
            name: config
        - name: plugins
          configMap:
            name: plugins
---
# Service in front of the hook pods. The Ingress in this file sends /hook to
# port 8888 of this Service; no targetPort is given, so it defaults to 8888.
# NodePort also opens a port on every node.
# NOTE(review): confirm node firewall rules only admit the load balancer, so
# the webhook endpoint is not reachable around the Ingress.
apiVersion: v1
kind: Service
metadata:
  name: hook
  namespace: prow
spec:
  type: NodePort
  selector:
    app: hook
  ports:
    - port: 8888
---
# sinker: runs as the `sinker` ServiceAccount, whose Roles in this file allow
# deleting ProwJobs in `prow` and pods in `test-pods`. It mounts only the Prow
# config and no secrets.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sinker
  namespace: prow
  labels:
    app: sinker
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sinker
  template:
    metadata:
      labels:
        app: sinker
    spec:
      serviceAccountName: sinker
      containers:
        - name: sinker
          # Pinned by tag and sha256 digest.
          image: gcr.io/k8s-prow/sinker:v20221011-5d4db25b24@sha256:6e52e2a43c0fb1babe08cdee42f23a3ec6115cc8ad8ab86bf96568be1b45fa2f
          args:
            - --config-path=/etc/config/config.yaml
            # dry-run is off: deletions are really performed.
            - --dry-run=false
          volumeMounts:
            - name: config
              mountPath: /etc/config
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: config
---
# deck: the Prow web UI. The Ingress in this file makes it the default backend
# for prow.px.dev, so this is the most exposed pod in the file.
# NOTE(review): it mounts the GitHub App private key and the GCS credentials;
# confirm both are scoped to what a public, read-mostly UI needs.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deck
  namespace: prow
  labels:
    app: deck
spec:
  replicas: 2
  selector:
    matchLabels:
      app: deck
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: deck
    spec:
      serviceAccountName: deck
      terminationGracePeriodSeconds: 30
      # NOTE(review): no securityContext or resource requests/limits are set —
      # confirm cluster-level defaults cover this internet-facing pod.
      containers:
        - name: deck
          # Pinned by tag and sha256 digest.
          image: gcr.io/k8s-prow/deck:v20221011-5d4db25b24@sha256:5abf75ef4705617d556f989e2e3593f42cb1e71d790e4bef0e676a234d88a936
          # No --rerun-creates-job flag is passed, which is consistent with the
          # deck Role in this file withholding `create` on ProwJobs.
          args:
            - --config-path=/etc/config/config.yaml
            - --plugin-config=/etc/plugins/plugins.yaml
            # tide, hook and ghproxy are reached through their in-cluster
            # Services over plain HTTP.
            - --tide-url=http://tide/
            - --hook-url=http://hook:8888/plugin-help
            - --github-endpoint=http://ghproxy
            - --github-endpoint=https://api.github.com
            - --github-graphql-endpoint=http://ghproxy/graphql
            - --spyglass=true
            - --github-app-id=$(GITHUB_APP_ID)
            - --github-app-private-key-path=/etc/github/cert
          env:
            - name: GITHUB_APP_ID
              valueFrom:
                secretKeyRef:
                  name: github-token
                  key: appid
          ports:
            - name: http
              containerPort: 8080
          # Every mount is read-only.
          volumeMounts:
            - name: config
              mountPath: /etc/config
              readOnly: true
            - name: github-token
              mountPath: /etc/github
              readOnly: true
            - name: plugins
              mountPath: /etc/plugins
              readOnly: true
            - name: gcs-credentials
              mountPath: /etc/gcs-credentials
              readOnly: true
          # Health endpoints are served on 8081, separate from the UI port.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
            initialDelaySeconds: 3
            periodSeconds: 3
          readinessProbe:
            httpGet:
              path: /healthz/ready
              port: 8081
            initialDelaySeconds: 10
            periodSeconds: 3
            timeoutSeconds: 600
      volumes:
        - name: config
          configMap:
            name: config
        - name: github-token
          secret:
            secretName: github-token
        - name: plugins
          configMap:
            name: plugins
        - name: gcs-credentials
          secret:
            secretName: gcs-credentials
---
# Service in front of the deck pods: port 80 forwards to container port 8080.
# It backs both the default backend and the "/" path of the Ingress in this
# file. NodePort also opens a port on every node.
# NOTE(review): confirm node firewall rules only admit the load balancer.
apiVersion: v1
kind: Service
metadata:
  name: deck
  namespace: prow
spec:
  type: NodePort
  selector:
    app: deck
  ports:
    - port: 80
      targetPort: 8080
---
# horologium: runs as the `horologium` ServiceAccount, whose Role in this file
# allows creating ProwJobs. It mounts only the Prow config and no secrets.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: horologium
  namespace: prow
  labels:
    app: horologium
spec:
  replicas: 1 # Do not scale up.
  selector:
    matchLabels:
      app: horologium
  # Recreate stops the old pod before starting the new one, so two instances
  # never overlap during a rollout.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: horologium
    spec:
      serviceAccountName: horologium
      terminationGracePeriodSeconds: 30
      containers:
        - name: horologium
          # Pinned by tag and sha256 digest.
          image: gcr.io/k8s-prow/horologium:v20221011-5d4db25b24@sha256:9cff5fa5754ab0d8adfe07368816eb97861aa33a6dee83141e987c12a26803c3
          args:
            - --dry-run=false
            - --config-path=/etc/config/config.yaml
          volumeMounts:
            - name: config
              mountPath: /etc/config
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: config
---
# tide: acts on pull requests that match the `tide.queries` section of the
# `config` ConfigMap. It holds the GitHub App credentials and the GCS
# credentials, and writes its status and history to gs://px-prow.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tide
  namespace: prow
  labels:
    app: tide
spec:
  replicas: 1 # Do not scale up.
  selector:
    matchLabels:
      app: tide
  # Recreate stops the old pod before starting the new one, so two instances
  # never overlap during a rollout.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: tide
    spec:
      serviceAccountName: tide
      containers:
        - name: tide
          # Pinned by tag and sha256 digest.
          image: gcr.io/k8s-prow/tide:v20221011-5d4db25b24@sha256:5b6499763fca06f5a026f8437178db949ce954445887c5e663d7ebcd17b6f7b7
          args:
            - --dry-run=false
            - --config-path=/etc/config/config.yaml
            # GitHub traffic goes to the in-cluster ghproxy over plain HTTP;
            # api.github.com is listed as a second endpoint.
            - --github-endpoint=http://ghproxy
            - --github-endpoint=https://api.github.com
            - --github-graphql-endpoint=http://ghproxy/graphql
            - --gcs-credentials-file=/etc/gcs-credentials/service-account.json
            - --status-path=gs://px-prow/tide-status
            - --history-uri=gs://px-prow/tide-history.json
            - --github-app-id=$(GITHUB_APP_ID)
            - --github-app-private-key-path=/etc/github/cert
          env:
            - name: GITHUB_APP_ID
              valueFrom:
                secretKeyRef:
                  name: github-token
                  key: appid
          ports:
            - name: http
              containerPort: 8888
          # Every mount is read-only.
          volumeMounts:
            - name: github-token
              mountPath: /etc/github
              readOnly: true
            - name: config
              mountPath: /etc/config
              readOnly: true
            - name: gcs-credentials
              mountPath: /etc/gcs-credentials
              readOnly: true
      volumes:
        - name: github-token
          secret:
            secretName: github-token
        - name: config
          configMap:
            name: config
        - name: gcs-credentials
          secret:
            secretName: gcs-credentials
---
# Service in front of the tide pod: port 80 forwards to container port 8888.
# deck reaches it in-cluster via --tide-url=http://tide/.
# NOTE(review): the Ingress in this file does not route to tide, so NodePort
# exposure looks unnecessary here — confirm nothing else depends on it and
# consider ClusterIP to keep tide off the node ports.
apiVersion: v1
kind: Service
metadata:
  name: tide
  namespace: prow
spec:
  type: NodePort
  selector:
    app: tide
  ports:
    - port: 80
      targetPort: 8888
---
# GKE-managed TLS certificate for prow.px.dev. The Ingress in this file
# attaches it through the networking.gke.io/managed-certificates annotation.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: px-prow-managed-cert
  namespace: prow
spec:
  domains:
    - prow.px.dev
---
# Load-balancer frontend settings for the Ingress in this file, which selects
# this object through its networking.gke.io/v1beta1.FrontendConfig annotation.
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  namespace: prow
  name: px-prow-frontend-config
spec:
  # Refers to an SSL policy by name; the policy itself is defined outside this
  # file. NOTE(review): verify its minimum TLS version and cipher profile.
  sslPolicy: gke-ingress-ssl-policy
  # NOTE(review): with the redirect disabled, plain-HTTP requests to
  # prow.px.dev are served rather than upgraded, so deck pages and /hook
  # webhook deliveries sent to an http:// URL travel unencrypted. Confirm
  # nothing still relies on HTTP (for example a webhook registered with an
  # http:// URL) and then set `enabled: true`.
  redirectToHttps:
    enabled: false
---
# External entry point for Prow on GKE. Only two Services are published:
# deck (the UI) for everything, and hook for the /hook webhook path. tide,
# ghproxy and the other components have no route here.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: prow
  namespace: prow
  annotations:
    kubernetes.io/ingress.class: gce
    kubernetes.io/ingress.global-static-ip-name: px-prow-external-ipaddr
    # TLS certificate and frontend (SSL policy, HTTPS redirect) settings are
    # taken from the ManagedCertificate and FrontendConfig objects named here.
    networking.gke.io/managed-certificates: px-prow-managed-cert
    networking.gke.io/v1beta1.FrontendConfig: px-prow-frontend-config
spec:
  defaultBackend:
    # specify the default backend for `ingress-gce` (https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#default_backend)
    # Requests that match no rule below, including other Host headers, land on
    # deck.
    service:
      name: deck
      port:
        number: 80
  rules:
    - host: prow.px.dev
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: deck
                port:
                  number: 80
          # Webhook receiver. NOTE(review): requests are authenticated by hook
          # itself (HMAC secret mounted in the hook Deployment), not by the
          # load balancer.
          - path: /hook
            pathType: ImplementationSpecific
            backend:
              service:
                name: hook
                port:
                  number: 8888
---
# statusreconciler: runs as the `statusreconciler` ServiceAccount, whose Role
# in this file allows creating ProwJobs. It holds the GitHub App credentials
# and the GCS credentials, and keeps its state in gs://px-prow.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: statusreconciler
  namespace: prow
  labels:
    app: statusreconciler
spec:
  replicas: 1
  selector:
    matchLabels:
      app: statusreconciler
  template:
    metadata:
      labels:
        app: statusreconciler
    spec:
      serviceAccountName: statusreconciler
      terminationGracePeriodSeconds: 180
      containers:
        - name: statusreconciler
          # Pinned by tag and sha256 digest.
          image: gcr.io/k8s-prow/status-reconciler:v20221011-5d4db25b24@sha256:ae1061a7fcd2c9892312baef45847f72bba693fece043c2fef95dc692a96380d
          args:
            - --dry-run=false
            - --continue-on-error=true
            - --plugin-config=/etc/plugins/plugins.yaml
            - --config-path=/etc/config/config.yaml
            # GitHub traffic goes to the in-cluster ghproxy over plain HTTP;
            # api.github.com is listed as a second endpoint.
            - --github-endpoint=http://ghproxy
            - --github-endpoint=https://api.github.com
            - --gcs-credentials-file=/etc/gcs-credentials/service-account.json
            - --status-path=gs://px-prow/status-reconciler-status
            - --github-app-id=$(GITHUB_APP_ID)
            - --github-app-private-key-path=/etc/github/cert
          env:
            - name: GITHUB_APP_ID
              valueFrom:
                secretKeyRef:
                  name: github-token
                  key: appid
          # Every mount is read-only.
          volumeMounts:
            - name: github-token
              mountPath: /etc/github
              readOnly: true
            - name: config
              mountPath: /etc/config
              readOnly: true
            - name: plugins
              mountPath: /etc/plugins
              readOnly: true
            - name: gcs-credentials
              mountPath: /etc/gcs-credentials
              readOnly: true
      volumes:
        - name: github-token
          secret:
            secretName: github-token
        - name: config
          configMap:
            name: config
        - name: plugins
          configMap:
            name: plugins
        - name: gcs-credentials
          secret:
            secretName: gcs-credentials
---
# Namespace in which job pods run (`pod_namespace: test-pods` in the `config`
# ConfigMap). Keeping it separate from `prow` means the Roles in this file can
# grant pod permissions here without granting them in the control-plane
# namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: test-pods
---
# Identity of the deck Deployment (`serviceAccountName: deck`).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deck
  namespace: prow
---
# Grants the `deck` Role of the prow namespace to the deck ServiceAccount.
# The subject carries no namespace, so it resolves to this binding's own
# namespace (prow).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deck
  namespace: prow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deck
subjects:
  - kind: ServiceAccount
    name: deck
---
# Grants the `deck` Role of the test-pods namespace to the deck ServiceAccount
# that lives in prow; the subject namespace is therefore spelled out.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deck
  namespace: test-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deck
subjects:
  - kind: ServiceAccount
    name: deck
    namespace: prow
---
# deck's permissions in the prow namespace: read-only access to ProwJobs.
# deck is published through the Ingress in this file, so this Role is kept
# without write verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deck
  namespace: prow
rules:
  - apiGroups: [prow.k8s.io]
    resources: [prowjobs]
    verbs:
      - get
      - list
      - watch
      # Required when deck runs with `--rerun-creates-job=true`
      # **Warning:** Only use this for non-public deck instances, this allows
      # anyone with access to your Deck instance to create new Prowjobs
      # - create
---
# deck's permissions in the test-pods namespace: it may read pod logs and
# nothing else.
# NOTE(review): deck is public in this file, so anything a job prints to its
# log is readable by anyone — jobs must not echo secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deck
  namespace: test-pods
rules:
  - apiGroups: [""]
    resources: [pods/log]
    verbs: [get]
---
# Identity of the horologium Deployment (`serviceAccountName: horologium`).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: horologium
  namespace: prow
---
# horologium's permissions in the prow namespace: create, list and watch
# ProwJobs. The prow-controller-manager Role in this file may create pods in
# test-pods, so `create` on ProwJobs is in effect the right to start workloads
# there.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: horologium
  namespace: prow
rules:
  - apiGroups: [prow.k8s.io]
    resources: [prowjobs]
    verbs: [create, list, watch]
---
# Grants the `horologium` Role to the horologium ServiceAccount. The subject
# carries no namespace, so it resolves to this binding's own namespace (prow).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: horologium
  namespace: prow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: horologium
subjects:
  - kind: ServiceAccount
    name: horologium
---
# Identity of the sinker Deployment (`serviceAccountName: sinker`).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sinker
  namespace: prow
---
# sinker's permissions in the prow namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sinker
  namespace: prow
rules:
  # Read and delete ProwJobs.
  - apiGroups: [prow.k8s.io]
    resources: [prowjobs]
    verbs: [delete, list, watch, get]
  # Leader-election lock as a Lease: get/update are limited to the one named
  # object.
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    resourceNames: [prow-sinker-leaderlock]
    verbs: [get, update]
  # `create` cannot be narrowed by resourceNames, so it is granted for every
  # Lease name in this namespace.
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [create]
  # Same lock name as a ConfigMap: get/update are limited to the named object.
  - apiGroups: [""]
    resources: [configmaps]
    resourceNames: [prow-sinker-leaderlock]
    verbs: [get, update]
  # Create-only on ConfigMaps and Events: sinker can add new objects, but the
  # rule above does not let it read or change other ConfigMaps such as
  # `config` or `plugins`.
  - apiGroups: [""]
    resources: [configmaps, events]
    verbs: [create]
---
# sinker's permissions in the test-pods namespace: read, patch and delete
# pods. There is no `create`, so sinker cannot start workloads here.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sinker
  namespace: test-pods
rules:
  - apiGroups: [""]
    resources: [pods]
    verbs: [delete, list, watch, get, patch]
---
# Grants the `sinker` Role of the prow namespace to the sinker ServiceAccount.
# The subject carries no namespace, so it resolves to this binding's own
# namespace (prow).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sinker
  namespace: prow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sinker
subjects:
  - kind: ServiceAccount
    name: sinker
---
# Grants the `sinker` Role of the test-pods namespace to the sinker
# ServiceAccount that lives in prow; the subject namespace is therefore
# spelled out.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sinker
  namespace: test-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sinker
subjects:
  - kind: ServiceAccount
    name: sinker
    namespace: prow
---
# Identity of the hook Deployment (`serviceAccountName: hook`).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hook
  namespace: prow
---
# hook's permissions in the prow namespace. hook is the pod that processes
# webhook deliveries from the internet, so these grants deserve the closest
# look in this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: hook
  namespace: prow
rules:
  # The prow-controller-manager Role in this file may create pods in
  # test-pods, so `create` on ProwJobs is in effect the right to start
  # workloads there.
  - apiGroups: [prow.k8s.io]
    resources: [prowjobs]
    verbs: [create, get, list, update]
  # No resourceNames: hook can read and overwrite every ConfigMap in this
  # namespace, including `config` and `plugins`.
  # NOTE(review): presumably intended for a config-updating plugin, which is
  # not in the plugin list in this file — confirm it is needed, and otherwise
  # drop the rule or limit get/update with resourceNames.
  - apiGroups: [""]
    resources: [configmaps]
    verbs: [create, get, update]
---
# Grants the `hook` Role to the hook ServiceAccount. The subject carries no
# namespace, so it resolves to this binding's own namespace (prow).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: hook
  namespace: prow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: hook
subjects:
  - kind: ServiceAccount
    name: hook
---
# Identity of the tide Deployment (`serviceAccountName: tide`).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tide
  namespace: prow
---
# tide's permissions in the prow namespace: create and read ProwJobs. The
# prow-controller-manager Role in this file may create pods in test-pods, so
# `create` on ProwJobs is in effect the right to start workloads there.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tide
  namespace: prow
rules:
  - apiGroups: [prow.k8s.io]
    resources: [prowjobs]
    verbs: [create, list, get, watch]
---
# Grants the `tide` Role to the tide ServiceAccount. The subject carries no
# namespace, so it resolves to this binding's own namespace (prow).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tide
  namespace: prow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tide
subjects:
  - kind: ServiceAccount
    name: tide
---
# Identity of the statusreconciler Deployment
# (`serviceAccountName: statusreconciler`).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: statusreconciler
  namespace: prow
---
# statusreconciler's permissions in the prow namespace: it may only create
# ProwJobs; it cannot read, change or delete them.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: statusreconciler
  namespace: prow
rules:
  - apiGroups: [prow.k8s.io]
    resources: [prowjobs]
    verbs: [create]
---
# Grants the `statusreconciler` Role to the statusreconciler ServiceAccount.
# The subject carries no namespace, so it resolves to this binding's own
# namespace (prow).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: statusreconciler
  namespace: prow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: statusreconciler
subjects:
  - kind: ServiceAccount
    name: statusreconciler
---
# Persistent disk for the ghproxy cache; the ghproxy Deployment mounts it at
# /cache. ReadWriteOnce matches the single-replica Deployment.
# NOTE(review): the cache holds responses from the GitHub API fetched with
# Prow's credentials — confirm who can mount or snapshot this volume.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ghproxy
  namespace: prow
  labels:
    app: ghproxy
spec:
  accessModes: [ReadWriteOnce]
  resources:
    requests:
      storage: 100Gi
---
# ghproxy: caching proxy that the other Prow components in this file use as
# their first --github-endpoint (http://ghproxy). It mounts no secrets itself.
# No serviceAccountName is set, so the pod runs as the namespace's `default`
# ServiceAccount.
# NOTE(review): callers send their GitHub requests here over plain HTTP inside
# the cluster — confirm a NetworkPolicy or equivalent limits which pods can
# reach or impersonate this Service.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ghproxy
  namespace: prow
  labels:
    app: ghproxy
spec:
  # GHProxy does not support HA
  replicas: 1
  selector:
    matchLabels:
      app: ghproxy
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: ghproxy
    spec:
      containers:
        - name: ghproxy
          # Pinned by tag and sha256 digest.
          image: gcr.io/k8s-prow/ghproxy:v20221011-5d4db25b24@sha256:5bb79645bda90ef094e65ce11747beec2dfadbe57d48acb9cc38309353036f8d
          args:
            - --cache-dir=/cache
            # Cache budget sits just under the 100Gi requested by the PVC.
            - --cache-sizeGB=99
            - --push-gateway=pushgateway
            - --serve-metrics=true
          ports:
            - containerPort: 8888
          # The only writable mount in this file: the cache directory.
          volumeMounts:
            - name: cache
              mountPath: /cache
      volumes:
        - name: cache
          persistentVolumeClaim:
            claimName: ghproxy
---
# Cluster-internal Service for ghproxy: port 80 forwards to container port
# 8888, and 9090 is exposed for metrics. ClusterIP keeps it off node ports and
# out of the Ingress.
apiVersion: v1
kind: Service
metadata:
  name: ghproxy
  namespace: prow
  labels:
    app: ghproxy
spec:
  type: ClusterIP
  selector:
    app: ghproxy
  ports:
    - name: main
      port: 80
      protocol: TCP
      targetPort: 8888
    - name: metrics
      port: 9090
---
# prow-controller-manager, started with the plank controller enabled. Its
# Roles in this file let it update ProwJobs in `prow` and create pods in
# `test-pods`, which makes it the component that actually launches job pods.
# It holds the GitHub App credentials.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prow-controller-manager
  namespace: prow
  labels:
    app: prow-controller-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prow-controller-manager
  template:
    metadata:
      labels:
        app: prow-controller-manager
    spec:
      serviceAccountName: prow-controller-manager
      containers:
        - name: prow-controller-manager
          # Pinned by tag and sha256 digest.
          image: gcr.io/k8s-prow/prow-controller-manager:v20221011-5d4db25b24@sha256:1c527b5ee1000024dbe8cfb55cea80334e02fcbeb30eb36e634a31fd1ad250b6
          args:
            - --dry-run=false
            - --config-path=/etc/config/config.yaml
            # GitHub traffic goes to the in-cluster ghproxy over plain HTTP;
            # api.github.com is listed as a second endpoint.
            - --github-endpoint=http://ghproxy
            - --github-endpoint=https://api.github.com
            - --enable-controller=plank
            - --github-app-id=$(GITHUB_APP_ID)
            - --github-app-private-key-path=/etc/github/cert
          env:
            - name: GITHUB_APP_ID
              valueFrom:
                secretKeyRef:
                  name: github-token
                  key: appid
          # Every mount is read-only.
          volumeMounts:
            - name: github-token
              mountPath: /etc/github
              readOnly: true
            - name: config
              mountPath: /etc/config
              readOnly: true
      volumes:
        - name: github-token
          secret:
            secretName: github-token
        - name: config
          configMap:
            name: config
---
# Identity of the prow-controller-manager Deployment
# (`serviceAccountName: prow-controller-manager`).
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: prow-controller-manager
---
# prow-controller-manager's permissions in the prow namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prow-controller-manager
  namespace: prow
rules:
  # Read and modify ProwJobs; there is no `create` or `delete` here.
  - apiGroups: [prow.k8s.io]
    resources: [prowjobs]
    verbs: [get, list, watch, update, patch]
  # Leader-election lock as a Lease: get/update are limited to the one named
  # object.
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    resourceNames: [prow-controller-manager-leader-lock]
    verbs: [get, update]
  # `create` cannot be narrowed by resourceNames, so it is granted for every
  # Lease name in this namespace.
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [create]
  # Same lock name as a ConfigMap: get/update are limited to the named object.
  - apiGroups: [""]
    resources: [configmaps]
    resourceNames: [prow-controller-manager-leader-lock]
    verbs: [get, update]
  # Create-only on ConfigMaps and Events; the rule above does not allow
  # reading or changing other ConfigMaps such as `config` or `plugins`.
  - apiGroups: [""]
    resources: [configmaps, events]
    verbs: [create]
---
# prow-controller-manager's permissions in the test-pods namespace. This is
# the only Role in this file that grants `create` on pods, so every job pod is
# started through this identity.
# NOTE(review): pod creation is not limited by any policy visible in this file
# — confirm admission controls (Pod Security, quotas) exist for test-pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prow-controller-manager
  namespace: test-pods
rules:
  - apiGroups: [""]
    resources: [pods]
    verbs: [delete, list, watch, create, patch]
---
# Grants the `prow-controller-manager` Role of the prow namespace to the
# prow-controller-manager ServiceAccount. The subject carries no namespace, so
# it resolves to this binding's own namespace (prow).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prow-controller-manager
  namespace: prow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prow-controller-manager
subjects:
  - kind: ServiceAccount
    name: prow-controller-manager
---
# Grants the `prow-controller-manager` Role of the test-pods namespace to the
# prow-controller-manager ServiceAccount that lives in prow; the subject
# namespace is therefore spelled out.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prow-controller-manager
  namespace: test-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prow-controller-manager
subjects:
  - kind: ServiceAccount
    name: prow-controller-manager
    namespace: prow
---
# crier: runs as the `crier` ServiceAccount, whose Roles in this file allow
# reading and patching ProwJobs in `prow` and pods in `test-pods`. It holds
# the GitHub App credentials and the GCS credentials.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: crier
  namespace: prow
  labels:
    app: crier
spec:
  replicas: 1
  selector:
    matchLabels:
      app: crier
  template:
    metadata:
      labels:
        app: crier
    spec:
      serviceAccountName: crier
      terminationGracePeriodSeconds: 30
      containers:
        - name: crier
          # Pinned by tag and sha256 digest.
          image: gcr.io/k8s-prow/crier:v20221011-5d4db25b24@sha256:91d8ea8210a1d836b4872002d7eba19c17d2b40bffabecdd52e722f1611ea37c
          args:
            - --blob-storage-workers=10
            - --config-path=/etc/config/config.yaml
            - --gcs-credentials-file=/etc/gcs-credentials/service-account.json
            # GitHub traffic goes to the in-cluster ghproxy over plain HTTP;
            # api.github.com is listed as a second endpoint.
            - --github-endpoint=http://ghproxy
            - --github-endpoint=https://api.github.com
            - --github-workers=10
            - --kubernetes-blob-storage-workers=10
            - --github-app-id=$(GITHUB_APP_ID)
            - --github-app-private-key-path=/etc/github/cert
          env:
            - name: GITHUB_APP_ID
              valueFrom:
                secretKeyRef:
                  name: github-token
                  key: appid
          # Every mount is read-only.
          volumeMounts:
            - name: config
              mountPath: /etc/config
              readOnly: true
            - name: github-token
              mountPath: /etc/github
              readOnly: true
            - name: gcs-credentials
              mountPath: /etc/gcs-credentials
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: config
        - name: github-token
          secret:
            secretName: github-token
        - name: gcs-credentials
          secret:
            secretName: gcs-credentials
---
# Identity of the crier Deployment (`serviceAccountName: crier`).
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: crier
---
# crier's permissions in the prow namespace: read and patch ProwJobs. There is
# no `create` or `delete`.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: crier
  namespace: prow
rules:
  - apiGroups: [prow.k8s.io]
    resources: [prowjobs]
    verbs: [get, watch, list, patch]
---
# crier's permissions in the test-pods namespace: read pods and events, and
# patch pods. There is no `create` or `delete`.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: crier
  namespace: test-pods
rules:
  # Read-only on pods and events.
  - apiGroups: [""]
    resources: [pods, events]
    verbs: [get, list]
  # Patch is granted on pods only, not on events.
  - apiGroups: [""]
    resources: [pods]
    verbs: [patch]
---
# Grants the `crier` Role of the prow namespace to the crier ServiceAccount in
# prow.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: prow
  name: crier
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: crier
subjects:
  - kind: ServiceAccount
    name: crier
    namespace: prow
---
# Grants the `crier` Role of the test-pods namespace to the crier
# ServiceAccount that lives in prow.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: test-pods
  name: crier
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: crier
subjects:
  - kind: ServiceAccount
    name: crier
    namespace: prow
